PCI Community to Weigh In
Proposed Changes Get First Public Airing
Topics such as encryption and chip and PIN are expected to play significant roles in discussions at this week's Payment Card Industry Security Standard Council Community Meeting in Orlando, Fla.
The annual two-day event, hosted by the PCI Security Standards Council, has been held since 2006. This year, the event is expected to draw 1,000 attendees from more than 44 countries -- the largest North American community meeting to date. The North American event will be followed up Oct. 18 with a European community meeting in Barcelona.
The meetings offer members of the payments community a final opportunity to review and suggest changes to new versions of the PCI standards just before they are released. This year, those changes affect version 2.0 of both PCI DSS and PA DSS. However, the final versions, expected to be released Oct. 28, will include only clarifications, not new requirements. The changes take effect in January.
"The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data," said Bob Russo, general manager of the council, during an August interview, when the council released a summary of expected changes. "With the changes to the PCI DSS and PA DSS outlined in advance, organizations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data."
Summary of Changes
The expected changes fall into three main categories:
- Clarification: Clarifies intent of requirement; ensures that concise wording in the standards portray the desired intent of requirements;
- Additional Guidance: Provides further information on a particular topic to increase understanding of the intent of the requirement;
- Evolving Requirements: Ensures the standards are up-to-date with emerging threats and changes in the marketplace.
Specific changes called out in the summary include:
- The need for scoping prior to a PCI DSS assessment in order to understand where cardholder data resides or is inadvertently stored;
- Support for centralized logging included in PA DSS to promote more effective log management;
- Validation of a risk-based approach for addressing vulnerabilities;
- Greater alignment between PCI DSS and PA DSS.
Tokenization and encryption - two of the technologies most frequently referenced by critics of PCI - did not make it into the new versions, but are expected to come up in this week's discussions. "There will be additional guidance coming later in the year, so at the community meeting as well as after the community meeting, we will be issuing guidance on CHIP, point-to-point encryption and tokenization," Russo says. "We'll be letting people know that if they are using one of these layered security technologies, this is how it lines up with the standard."
Three-Year Cycle: 'Positive Change'
One significant change that will be announced: This year marks the last two-year cycle for changes to PCI standards. Going forward, revisions will be made only every three years. The extended life cycle is expected to give merchants and financial institutions more time to comply with existing guidance.
That's a positive change, says Denise Mainquist, a certified information systems auditor for IT Project Management, Audit and Controls Consulting LLC, and an independent consultant who works with merchants on PCI compliance. Since most merchants are not in compliance with current PCI requirements anyway, Mainquist says the additional life cycle gives everyone more time to complete audits and ensure they are meeting current requirements before those requirements change. The two-year cycle, she says, was too short.
"A lot up to this point has been left to the QSAs to interpret," Mainquist says. "Having more clarification and time to comply will help the merchants."
The council was criticized by some industry analysts for not being more aggressive with changes to PCI DSS and PA DSS this time around. Extending the life cycle could draw criticism as well, since existing standards will remain on the books longer. But Mainquist says most of those criticisms are born of a misunderstanding of the council's role.
"The Standards Council is not the enforcement agency," she says. "The standards only say what the QSAs need to do, and since most merchants are not meeting current requirements, giving them more clarification and more time makes sense."